I'm looking for developers who are using or want to use .NET Core and SELinux. I have the following questions:
Please reply here or mail me @ [email protected]
One of our partners wanted to run our .NET Core software on a Linux box with SELinux enabled.
The end customers are "enterprisey" - financial institutions, government, defense,... and SELinux seemed to be a pretty hard requirement in that space.
They had a couple of challenges running .NET Core apps with SELinux enabled but were able to resolve them (I don't remember the details, sorry). I do know that saying that ".NET Core code runs in a VM, just like Java" apparently got them on the right track 😄.
What would be very welcome is to have a reference guide/documentation on how to configure SELinux for (ASP).NET Core - i.e. what exceptions/policies to enable,... .
Happy to answer any further questions you may have, just ping me here.
Sorry for the delay @qmfrederik. The holidays kicked in.
What would be very welcome is to have a reference guide/documentation on how to configure SELinux for (ASP).NET Core - i.e. what exceptions/policies to enable,... .
That sounds like a good idea. This aligns with where I was wanting to end up. I'm looking for a set of customers to work with to find out which problems folks run into in the field. Our testing is often artificial/synthetic in nature, so doesn't cover the full spectrum of something like SELinux cases. It would be great if you could hook me up with your partner so that I could find out what their challenges and solutions were. I think you already have my email address.
@richlander should we move this issue to the docs repo to track it?
@janvorli Did this get fixed in .NET Core 2.1?
No activity in last 10 months, closing.
@karelz I don't understand closing this issue. I'm watching this issue because we need support for SELinux. Heck, @Petermarcu asked if this issue was fixed; and we even raised bugs because .NET Core on Alpine linux fails due to SELinux being enabled.
Put simply, this is a priority issue for us. With the bugs against SELinux documented for .NET Core, I thought that SELinux was a priority for you as well. Is it not?
How important is SELinux support for you?
It's important to be able to deploy to our customer environments (typically Red Hat with SELinux enabled). As .NET Core is the only well-supported C# runtime environment for linux; it is necessarily part of our development and testing strategy. Our Product's SAM is currently made up of agencies across the US Government; and in order to sell to them we must be able to support their security posture. SELinux is a part of that.
Source, DISA STIGs surrounding Red Hat 7:
RHEL-07-020210 | CCI-002696 | high | The operating system must enable SELinux. | Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. | If , this is a finding. | The SELinux state should be set to at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode: SELINUX=
-- | -- | -- | -- | -- | -- | --
RHEL-07-020220 | CCI-002696 | high | The operating system must enable the SELinux targeted policy. | Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to . | If , this is a finding. | The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config: SELINUXTYPE= Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.

https://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-stig.html
What workloads do you intend to run with SELinux (or are doing so already)?
Server based (Web and background process) workloads; as well as crypto, SSH, and SNMP based workloads (Also WMI, but that's down the path).
Have you had challenges?
Yes. We wanted to use Alpine with .NET Core (reduced binary size from over 100MB to 35 MB per microservice), but there were showstopper bugs with SELinux and .NET Core 2.1.
What more should we be doing to support SELinux?
It should be a part of your testing and support strategy if you intend for products or usage within the secure US Government space.
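As an added illustration (not code from this thread, nor from the .NET or Red Hat projects), here is a small POSIX shell check that reads an `/etc/selinux/config` file and reports against the two STIG rows quoted above: RHEL-07-020210 (`SELINUX=enforcing`) and RHEL-07-020220 (`SELINUXTYPE=targeted`, with `mls` accepted as the "more specialized policy" the STIG text allows). The expected values come from the STIG text; the sample config at the bottom is constructed and does not describe any real host.

```shell
#!/bin/sh
# Added example: check a selinux config file against STIG rows
# RHEL-07-020210 (SELINUX=enforcing) and RHEL-07-020220 (SELINUXTYPE=targeted).
# Usage: check_selinux_config [/path/to/selinux/config]

# Print the value of KEY from the config file: comment lines are ignored,
# surrounding whitespace is dropped, and the last occurrence wins.
selinux_setting() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$file" | tail -n 1
}

# Return 0 when both rows are satisfied, 1 otherwise; one line per finding.
check_selinux_config() {
    file="${1:-/etc/selinux/config}"
    rc=0
    state=$(selinux_setting SELINUX "$file")
    type=$(selinux_setting SELINUXTYPE "$file")
    if [ "$state" != "enforcing" ]; then
        echo "RHEL-07-020210: SELINUX is '${state:-unset}', expected 'enforcing'"
        rc=1
    fi
    case "$type" in
        targeted|mls) ;;
        *) echo "RHEL-07-020220: SELINUXTYPE is '${type:-unset}', expected 'targeted'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample config (not taken from a real machine) for a quick self-run.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=targeted
EOF
check_selinux_config "$tmp" || echo "sample config is non-compliant"
rm -f "$tmp"
```

Note that this only inspects the boot-time configuration file; the running state can differ (for example after `setenforce 0`), so a complete check should also look at `getenforce` output.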
@gortok I closed the issue, because it was a poll from @richlander - asking for feedback, etc. I was not under the impression that this issue is tracking the work itself (of course I may be wrong).
Closing a poll issue is not a statement of lower priority, or anything (honestly, I have no idea what the status is there - @richlander would know). This issue was closed just due to 10 months of inactivity on the poll itself - and it looks like it triggered new input (which I assume is valuable to @richlander).
@richlander do you want to track the work itself here? If yes, we should reword the top post to clarify it, then reopen.
Very interested in this as well - our DOD work would benefit from this.
@gortok @h3smith Have you run into any SELinux issues with recent versions of .NET Core recently? Is there anything you can share here? Any pointers to how we can reproduce the bugs/issues?
(I work for Red Hat, and I care about resolving any SELinux issues that turn up. Either by fixing the issue or by extending the default SELinux policies where it makes sense.)
Not sure if this is still actual, but launching dotnet core under systemd

```
[Service]
ExecStart=/usr/bin/dotnet --version
```

produces a rather unhelpful error as of right now:

```
Failed to initialize CoreCLR, HRESULT: 0x80004005
```

Fedora 29, dotnet version 2.2.106 installed from sig repository
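An added example, not part of the report above and not from the .NET or Red Hat projects: when a process fails under SELinux with an opaque error like the HRESULT shown, the first diagnostic a practitioner runs is to check the audit log for AVC denials for that command name. The shell below parses audit-log lines (in the format written to `/var/log/audit/audit.log` and printed by `ausearch -m AVC -c dotnet`) and summarises the denied permissions for one `comm=` value. The sample lines are constructed for illustration only; they make no claim about which denial, if any, the CoreCLR failure above corresponds to on a real host.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one command name.
# Input is audit-log text on stdin, e.g.
#   ausearch -m AVC -c dotnet | avc_denials_for dotnet
# or
#   avc_denials_for dotnet < /var/log/audit/audit.log

# Print "permission tclass permissive" for each AVC denial whose comm= is $1.
avc_denials_for() {
    comm="$1"
    grep 'type=AVC' | grep 'denied' | grep "comm=\"${comm}\"" \
      | sed -n 's/.*{ \([^}]*\) }.*tclass=\([^ ]*\).*permissive=\([01]\).*/\1 \2 \3/p'
}

# Print the number of distinct denials (permission/class/mode triples) for $1.
avc_denial_count() {
    avc_denials_for "$1" | sort -u | wc -l | tr -d ' '
}

# Constructed sample audit lines (not captured from any real system). They use
# the real AVC record layout; the contexts and permissions are illustrative.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1555000000.101:201): avc:  denied  { execmem } for  pid=2101 comm="dotnet" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1555000000.101:201): arch=c000003e syscall=10 success=no exit=-13 comm="dotnet"
type=AVC msg=audit(1555000000.102:202): avc:  denied  { read } for  pid=2101 comm="dotnet" name="libcoreclr.so" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1555000000.103:203): avc:  denied  { name_connect } for  pid=877 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1'

# Self-run on the constructed sample: lists the two dotnet denials, not the nginx one.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_denials_for dotnet
```

The `permissive` field matters when reading the output: a `1` means the access was logged but allowed (the domain or system is permissive), so only `permissive=0` entries explain a hard failure like the one reported. Once the denied permission and target class are known, the usual next step is to decide between relabelling the target (`semanage fcontext` / `restorecon`) and extending the policy, which is the question @omajid raised above.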
This problem still exists when trying to connect self-hosted Linux agents to TFS on-prem 2018 and 17. @omajid is right as SELinux is a critical RedHat stig that we can't simply POAM or ignore because of the policies that are enforced with it. Is there any way to re-activate this issue? Or has there been a patch to fix this? Currently experiencing it on
Rhel 7.6, kernel 3.10.0-957.21.3.el7.x86_64